General ideas for improving the tool #1303
Closed
Description
Hi team,
I love the tool and hope that it will stay this cool and free in the future.
I want to suggest increasing the tool's capabilities and making it a full forensic investigation tool.
I am sure that you all know it, but I still want to say it.
For this, we have to think about the Five Ws. I prefer to start with the question "When" and follow with "What".
So, in our case, I suggest the following:
- Parse as many time stamps as possible, with events related to it.
- Use full text indexing for additional indicators, as it is done now.
A good example of the parser approach is "plaso". Still, IPED is a complete tool on its own.
Most of the features are already present, just need adjustment:
- Add parsed/extracted artifacts to the main table. This is especially useful in the timeline view.
- Some of the table details will be missing for the extracted records. That is OK. Most important is that when you search for an indicator you get a timestamp or a related indicator that can be further correlated.
- The extracted records should be "marked" in order to recognize, hide or filter them.
- Bookmarks approach is OK for the events tagging. May need to be extended.
- Another tool used in such cases is Timesketch
- Make it possible to show the search results in a separate window and show the selected item in the timeline view, with the possibility to scroll and mark related events.
- Maybe something similar to the Excel search box.
Please consider my suggestions and feel free to improve or criticize them.
Thank you,
Anatoliy